b"March 23, 2001\n\n\n\nMEMORANDUM FOR            SANDRA N. BATES\n                          COMMISSIONER\n                          FEDERAL TECHNOLOGY SERVICE (T)\n\n\nFROM:                     DAVID K. STONE\n                          REGIONAL INSPECTOR GENERAL FOR AUDITING\n                          GREAT LAKES REGION (JA-5)\n\nSUBJECT:                  Review of Center for Information\n                          Security Services, Federal Technology Service\n                          Report Number A001031/T/5/Z01003\n\nThis report presents the results of our review of the Center for Information Security\nServices. A draft of the report was submitted to you for your comments. The comments\nwere considered in preparing the final report and are included in their entirety as an\nappendix. We wish to express our appreciation to the officials and other employees of\nthe Center for Information Security Services for their cooperation and courtesies\nextended during the review.\n\nSection 810, Prompt Resolution of Audit Recommendations, of the National Defense\nAuthorization Act (Public Law 104-106), effective February 10, 1996 directs that\nmanagement decisions are required within six months of the audit report issue date.\nNevertheless, as required by GSA Order ADM P 2030.2B, a time-phased plan of action\naddressing the report recommendations and the Management Decision Record for\nInternal Audit (MDR) should still be submitted within 60 days. Section B of the MDR\nshould be completed. Please submit the complete package to the Assistant Inspector\nGeneral for Auditing (JA), with a copy to the Audit Followup and Evaluation Branch\n(BECA).\n\nFinal actions on all management decisions must be completed within 12 months of the\naudit report issuance date; otherwise the OIG will be required to report in its\nSemiannual Reports To Congress matters on which final actions remain open 12\nmonths after the report issue date. Therefore, upon completion of negotiations, send a\ncopy of the negotiation memorandum to the Regional Inspector General for Auditing\n(JA-5) in accordance with GSA Order ADM P 2030.2B.\n\x0cAttached is a Customer Satisfaction Questionnaire, developed to obtain feedback\nregarding whether the report and related audit services meet customer expectations.\nWe request that the primary user of this report complete the questionnaire and return it\nin the enclosed envelope to:\n\n                                Treva Crawford\n                                Director, Operation Staff (JAO)\n                                General Services Administration\n                                Office of Inspector General\n                                18th and F Streets, NW. Room 5316\n                                Washington, DC 20405\n\nIf you have any questions, please contact Franklin Moy or me on (312) 353-7781,\nextensions 112 and 110, respectively.\n\x0c               REVIEW OF\nCENTER FOR INFORMATION SECURITY SERVICES\n      FEDERAL TECHNOLOGY SERVICE\n    REPORT NUMBER A001031/T/5/Z01003\n              MARCH 23, 2001\n\x0c                             REVIEW OF\n              CENTER FOR INFORMATION SECURITY SERVICES\n                    FEDERAL TECHNOLOGY SERVICE\n                  REPORT NUMBER A001031/T/5/Z01003\n\n\n                             TABLE OF CONTENTS\n                                                                        PAGE\n\n\nREPORT LETTER                                                             1\nINTRODUCTION                                                              2\n    Background                                                            2\n    Objectives, Scope and Methodology                                     3\nRESULTS OF REVIEW                                                         4\n    Brief                                                                 4\n    Findings and Recommendations                                          5\n            Finding 1 \xe2\x80\x93 Overspent Customer Orders Deplete The IT Fund     5\n            Finding 2 \xe2\x80\x93 Excess Customer Funds                            12\n            Finding 3 \xe2\x80\x93 Transferring Funds Between Orders                18\nMANAGEMENT\xe2\x80\x99S PRELIMINARY RESPONSE                                        20\nINTERNAL CONTROLS                                                        20\nAPPENDICES\n    A. Examples of Overspent Customer Orders                             21\n    B. Excess Funds That Should Be Considered for Deobligation\n       As of November 2000                                               23\n    C. Examples of Excess Customer Funds                                 24\n    D. FTS Commissioner\xe2\x80\x99s Response to the Draft Report                   27\n    E. Report Distribution                                               28\n\x0c   DATE:    March 23, 2001\nREPLY TO\nATTN. OF:   Regional Inspector General for Auditing, Great Lakes Region (JA-5)\n\nSUBJECT:    Review of Center for Information Security Services\n            Federal Technology Service\n            Report Number A001031/T/5/Z01003\n\n      To:   Sandra N. Bates, Commissioner\n            Federal Technology Service (T)\n\n            This report presents the results of the Office of Inspector General\xe2\x80\x99s review of the\n            Center for Information Security Services (CISS).\n\n            CISS, formerly known as the Office of Information Security, provides support services\n            to federal agencies with national security defense, diplomatic, and communications\n            missions.\n\n            This review was conducted as part of the Office of Inspector General\xe2\x80\x99s annual audit\n            plan. Our specific audit objectives were to answer the following questions: Is CISS\n            effectively managing and properly using customer funds? If not, what is the effect on\n            customer funds? If the effect is significant, what can be done to improve the order\n            management process?\n\n            CISS provided goods and services to its customers without always obtaining adequate\n            funding. CISS overspent 280 customer orders by $6.4 million since fiscal year 1993.\n            Additionally, CISS has many customer orders with excess funds that are unused and\n            apparently unneeded. We determined that excess funds, some from orders dating as\n            far back as 1993, are valued at about $7.9 million. Lastly, CISS did not always ensure\n            that transfers of funds were between orders having a similar purpose and scope.\n\n            We believe these problems have occurred because CISS, due to a fragmented\n            organizational structure, has not developed policies and procedures that reflect its\n            current operating needs.\n\n            We have included your written response to the draft report as an appendix to this\n            report.\n\n\n\n            FRANKLIN M. MOY\n            Audit Manager\n            Great Lakes Region (JA-5)\n\n                                                     1\n\x0c                                REVIEW OF\n                 CENTER FOR INFORMATION SECURITY SERVICES\n                       FEDERAL TECHNOLOGY SERVICE\n                     REPORT NUMBER A001031/T/5/Z01003\n\n                                    INTRODUCTION\n\nBACKGROUND\nThe Center for Information Security Services (CISS), formerly known as the Office of\nInformation Security prior to October 1, 2000, provides support services to federal\nagencies with national security defense, diplomatic, and communications missions. In\naddition, CISS develops Government policy on information security matters. CISS\nofficials have often served as Government-wide executives charged with assuring that\nFederal agencies\xe2\x80\x99 information security programs are in line with Government policies.\n\nHistorically, the repair and maintenance of secured communications equipment has\nbeen a core part of CISS\xe2\x80\x99 business. However, over the years, the organization evolved\ninto a provider of higher-level systems, including state of the art, multi-agency,\ninternational secured communication services. During the 1990s, CISS became an\ninternational organization of over 400 employees, with field offices located in Europe\nand the Pacific Rim.\n\nCISS provides information security services to requesting agencies on a reimbursable\nbasis. CISS classifies its information security workload into three distinct service areas.\nThese areas are 1) individual time and materials work, 2) recurring monthly\nmaintenance and repair work, and 3) contracting services for a fixed fee. Contracting\nservices can involve both the acquisition and installation of equipment. By 1999,\ncontracting work had become the staple of CISS\xe2\x80\x99 operations, accounting for up to 45\npercent of its work.\n\nCISS, until recently, operated on an advance bill basis, with the requesting agency\nobligating and disbursing funds prior to the start of work. CISS personnel advised us\nduring our review that they had changed to standard billing. Under standard billing, the\nrequesting agency disburses funds as work is completed.\n\nCISS, although staffed with capable people, encountered difficulty responding to the\ntremendous pace of change in the information security arena. Our review found that\nCISS employees simply were not provided the tools to properly manage their accounts.\nIn recent years, CISS was plagued by substantial losses, amounting to 10 to 20 percent\nof service revenues. In response to the losses, the Federal Technology Service (FTS)\nreorganized CISS effective October 1, 2000. Most CISS field offices are now under the\ncontrol of the region in which they are physically located. International operations are\nnow managed by other FTS business lines. The remaining main CISS activity is the\ncore information security services group, which is the subject of this audit report.\n\n\n                                            2\n\x0cOBJECTIVES, SCOPE AND METHODOLOGY\n\nThis review was conducted as part of the Office of Inspector General\xe2\x80\x99s annual audit\nplan. Our specific audit objectives were to answer the following questions:\n\n1. Is CISS effectively managing and properly using customer funds?\n\n2. If not, what is the effect on customer funds?\n\n3. If the effect is significant, what can be done to improve the order management\n   process?\n\nTo accomplish our objective, we:\n\n\xe2\x99\xa6 Performed a computer analysis of the entire database of CISS\xe2\x80\x99 customer orders,\n  which dates back to 1993, determining obligated amount, billed amount, accrued\n  amount, and the dollar balance for each of over 2,000 open orders;\n\n\xe2\x99\xa6 Used the computer analysis to construct a comprehensive evaluation of CISS\xe2\x80\x99\n  income accruals totaling over $18 million;\n\n\xe2\x99\xa6 Reviewed 77 customer orders, dating from fiscal year 1993 through fiscal year 2000,\n  and related accounting and financial records as necessary;\n\n\xe2\x99\xa6 Interviewed CISS personnel regarding order processing and billing procedures, and\n  the procedures for handling and controlling customer obligations;\n\n\xe2\x99\xa6 Visited two field offices and interviewed six field technicians regarding changes\n  within the organization and in the nature of CISS\xe2\x80\x99 work;\n\n\xe2\x99\xa6 Discussed the accounting entries for CISS' customer orders with officials from GSA's\n  Greater Southwest Finance Center, especially the areas of income accruals and\n  advance billings; and\n\n\xe2\x99\xa6 Discussed FTS financial management policy with GSA\xe2\x80\x99s Office of the Chief Financial\n  Officer and GSA\xe2\x80\x99s Office of General Counsel.\n\nWe did our onsite review from June through November of 2000. The audit was\nperformed in accordance with generally accepted Government auditing standards.\n\n\n\n\n                                            3\n\x0c                                REVIEW OF\n                 CENTER FOR INFORMATION SECURITY SERVICES\n                       FEDERAL TECHNOLOGY SERVICE\n                     REPORT NUMBER A001031/T/5/Z01003\n\n                                 RESULTS OF REVIEW\n\nBRIEF\nCISS provided goods and services to its customers without always obtaining adequate\nfunding. As a result, CISS overspent 280 customer orders by $6.4 million since fiscal\nyear 1993. CISS has paid expenses for these orders using reserves from the\nInformation Technology Fund (IT Fund), consequently reducing the cash levels of the IT\nFund. This situation has hindered FTS\xe2\x80\x99 efforts to increase the balance of the IT Fund.\n\nCISS has not obtained additional funds for many of these overspent orders. CISS\xe2\x80\x99\naccounting practices have postponed the need for taking action on overspent orders,\nthereby increasing the likelihood that many of these orders are uncollectable. This\nsituation has resulted in potentially inaccurate financial reports including, in particular,\noverstatements of prior years\xe2\x80\x99 income for CISS operations.\n\nCISS has many customer orders with excess funds that are unused and apparently\nunneeded. We determined that excess funds, some from orders dating as far back as\n1993, are valued at about $7.9 million. CISS has no written procedures for the\ndisposition of these excess funds, and many of these balances appear to have been\nforgotten.\n\nAdditionally, CISS regularly transfers funds between orders without always ensuring\nthat they have a similar purpose and scope. Therefore, CISS may not be fulfilling its\nfiduciary responsibility to properly manage customer funds.\n\nWe believe these problems have occurred because CISS, due to a fragmented\norganizational structure, has not developed policies and procedures that reflect its\ncurrent operating needs. CISS\xe2\x80\x99 primary type of work has changed dramatically in\nrecent years from recurring maintenance and repair agreements to contracting services.\nHowever, the organization has relied on the same basic policies and procedures for\nmanaging customer orders as it did in the past. Contracting services, which now\nrepresent about 85 percent of CISS\xe2\x80\x99 gross revenue, often involve large sums of funds\nand cross fiscal years. For example, contracting services accounted for $116,856,500\nof CISS\xe2\x80\x99 gross revenue for fiscal year 1999; about $100,000,000 of this amount\nrepresented flow-through costs. Because of the increased financial risks they present,\nthese orders require a much more rigorous order management system than the one\nCISS\xe2\x80\x99 had developed to support its traditional recurring maintenance and repair work.\n\nWe previously issued a report, dated November 29, 2000, alerting FTS management to\nthe findings described in this report. This report, however, describes those findings in a\nmore comprehensive manner.\n\n                                             4\n\x0c                             FINDINGS AND RECOMMENDATIONS\n\n\nFINDING 1 \xe2\x80\x93 OVERSPENT CUSTOMER ORDERS DEPLETE THE IT FUND\n\nOur review showed that CISS overspent 280 orders by a total of over $6.4 million as of\nNovember 9, 2000. CISS has consistently overspent orders since 19931. In fact, our\nanalysis shows that CISS overspent at least 59 orders by a total of about $423,030 in\ncalendar year 2000 alone.\n\nCISS\xe2\x80\x99 over-expenditures deplete the IT Fund. CISS is funded on a reimbursable basis\nusing the IT Fund. When CISS provides services to customers in excess of available\ncustomer funds, CISS pays the cost overruns out of the IT Fund.\n\nFurthermore, a substantial portion of CISS\xe2\x80\x99 expenditures for overspent orders\nrepresented direct payments to vendors or contractors as shown in the chart below.\nUnlike the fixed costs associated with using CISS\xe2\x80\x99 internal resources, the variable cost\nof contracting services poses an unlimited financial risk to CISS. By providing\ncontracting services in excess of available customer funds, CISS is essentially buying\nsome services for the customer agency for free! The potential for financial loss is\nunlimited as long as CISS continues to provide contracting services without recovering\nthe flow-through costs.\n\n\n                                           Overspent Amounts\n                                            By Service Type\n\n                 $4.0 million (63%)                                  Payments to\n                                                                     Vendors or\n                                                                     Contractors\n                                                                     Internal CISS\n                                                                     Resources\n                                              $2.4 million (37%)\n\n\n\nFor example, three Navy orders from 1997 and 1998 (customer order numbers\n97002043, 98002043, 97002158) illustrate the impact of overspending orders for\ncontracting services. These orders collectively represent payments to contractors\ntotaling $392,064 more than available customer funds. From 1997 to February of 1999,\nCISS purchased $5,052,874 of computer equipment from outside vendors for this\ncustomer. As of November 2000, the customer\xe2\x80\x99s funding totaled only $4,660,810.\nCISS paid the shortfall of $392,064 using IT Fund reserves.\n\n\n1\n  Due to the limitations of CISS\xe2\x80\x99 customer order database, our data includes only open orders dating back\nto fiscal year 1993 as of November 9, 2000.\n\n\n                                                   5\n\x0cExpenses in excess of available customer funds such as those mentioned above\nimpose a considerable financial strain on the IT Fund. FTS has had consistent\nproblems, dating back to 1997, maintaining the balance of the fund. In fact, FTS has\nrelied on transfers from PBS in recent years to maintain the balance of the IT Fund.\nCISS\xe2\x80\x99 overspending practices have contributed to the declining balance of the fund and\nhave made effectively managing the fund more difficult.\n\nAll components of GSA are subject to GSA Order ADM 4200.2A, Administrative Control\nof Funds. This order states that the reimbursable effort is constantly monitored to make\nsure that expenditures do not exceed the amounts allowed. The order also states that\nan obligation for reimbursable work is not made, or work started until a firm written\nagreement is executed between the performing GSA organization and the requesting\nFederal agency. Our review noted that sometimes CISS would provide services without\nreceiving the requesting agency\xe2\x80\x99s purchase order. In doing so, and in overspending\norders, CISS has not adhered to this order.\n\nOur on-site review found that CISS employees regularly transferred funds from one\norder to another order to offset overspent amounts. However, our analysis of Federal\nfinancial management regulations (appropriations law) indicated that any transfer of\nfunds from one order to another without a consideration of the bona fide needs rule is\ninappropriate. See FINDING 3 \xe2\x80\x93 TRANSFERRING FUNDS BETWEEN ORDERS for a discussion\nof this issue.\n\nEffect of Income Accruals on Financial Statements\nCISS\xe2\x80\x99 accounting practices decreased the likelihood that overspent orders would be\ncollected, resulting in an overstatement of income. Additionally, these practices\nresulted in a misstatement of CISS\xe2\x80\x99 financial position by overstating asset and liability\naccounts.\n\nCISS\xe2\x80\x99 billing system treated the overspent amount as an unbilled income accrual. In\nother words, an unbilled income accrual is an accounting entry recognizing income\nbefore actual receipt of payment. In general, accrual entries are automatically reversed\nat the beginning of the next month in order to prevent a duplication of income when\npayment is received. However, CISS accrued, reversed, and then re-accrued\noverspent amounts with the assumption that CISS would bill the customer at some point\nin the future and at that time would recognize the overspent amount as earned income.\nThe table below shows examples of accruals that were repeated in fiscal years 1998,\n1999, and 2000:\n\n\n\n\n                                           6\n\x0c                  Examples of Accruals Repeated in 1998, 1999, 2000\n                                      1\n               Order #   Year Created     1998 Accrual 1999 Accrual 2000 Accrual\n             93000209         1993        $    38,984   $    38,984    $    38,984\n             94000748         1994        $   136,122   $   136,122    $ 136,122\n             96001482         1996        $   580,237   $   580,237    $ 580,237\n             96001825         1996        $   545,644   $   545,644    $ 545,644\n             96001462         1996        $   231,167   $   176,333    $ 176,333\n             96001488         1996        $    85,485   $    85,485    $    85,485\n             96001471         1996        $    34,317   $    34,317    $    34,317\n             96000779         1996        $    29,704   $    29,704    $    29,704\n             96000937         1996        $    25,328   $    25,328    $    25,328\n             96000356         1996        $    21,517   $    21,517    $    21,517\n             96001492         1996        $    21,501   $    21,501    $    21,500\n             96000961         1996        $    15,872   $    15,872    $    15,872\n               Total                                                   $ 1,711,043\n       1\n           Our test was for the years indicated. These accruals could have begun in the year the\n           order was created.\n\nCISS did not always obtain additional funding for overspent orders nor did management\ndefine a point at which overspent amounts were declared uncollectable. Thus, unbilled\nincome could stay on the books indefinitely while CISS waited to receive additional\nfunds. The longer CISS waited to contact the customer regarding additional funds, the\nless likely it became that those funds could be collected. By not obtaining additional\nfunds and by repeatedly accruing these overspent amounts, CISS has overstated its\nincome in previous years.\n\nOur analysis of accruals posted in November of 2000 indicated that uncollectable\namounts could total at least $1.4 million. For the purposes of our analysis, we defined\norders with a date of last service prior to calendar year 1999 uncollectable. CISS had\n93 orders with unbilled overspent amounts totaling $1.4 million. See Appendix A for\nsome examples of these and other overspent orders. These unbilled amounts appear\nto be well past the point of being collectable. CISS can not continue to accrue these\namounts as income and should declare them uncollectable or, if possible, collect\nadditional funds from customers to cover these overspent amounts.\n\nImpact on Financial Position\nOverspending has caused a misrepresentation of CISS\xe2\x80\x99 accounts and has affected\nFTS\xe2\x80\x99s ability to accurately project future expenditures out of the IT Fund. In addition to\nrecording overspent amounts as accrued income, CISS has recorded available\ncustomer funds as accrued income as well. If a charge for services is only partially\nunfunded, CISS\xe2\x80\x99 billing system creates an income accrual entry for the entire charge.\nFor example, as of November 2000, customer order number 96001825 for the\nSecurities and Exchange Commission (SEC) had $534,929 available. In April 1997,\n\n                                                    7\n\x0cservices totaling $545,644 were charged against this order. Since the system could not\napply a partial charge to an order, the whole charge was treated as an unbilled income\naccrual. However, the amount overspent was only $10,715. The available customer\nfunds ($534,929) should have been posted to earned income. Otherwise, CISS\xe2\x80\x99\ndeferred income account is overstated.\n\nInappropriate income accruals, such as the one described above, cause inaccuracies in\nCISS\xe2\x80\x99s financial statements and reports. For example, when GSA received payment\nfrom the SEC for the order described above, the $534,929 was recorded as a debit to\ncash and a credit to deferred income. When the $545,644 charge was applied to the\norder, CISS recorded the entire amount as a debit to unbilled receivables and a credit to\naccrued income.\n\nUnder CISS\xe2\x80\x99 incorrect entries, the amount of available funds ($534,929) from SEC was\nrecorded twice on GSA\xe2\x80\x99s books: once as a debit to cash with a credit to deferred\nincome, and again as debit to unbilled receivables with a credit to accrued income.\nUnder the correct entries, the available funds would have been posted to earned\nincome (with a commensurate reduction in deferred income) and only the overspent\namount would have been treated as accrued income (with a commensurate increase to\nunbilled receivables).\n\nOverall, of the approximate $13.3 million of accruals that represented overspending as\nof November 9, 2000, about $6.5 million represented available customer funds.\nAmounts totaling about $6.5 million were entered into the deferred income account and\nwere never credited out even after CISS had performed services for the customer.\nLikewise, these amounts were inappropriately recorded as unbilled receivables. These\nentries result in an overstatement of GSA\xe2\x80\x99s liabilities and accounts receivable.\n\nIn addition to the overstatements of assets and liabilities, CISS\xe2\x80\x99 Customer Unfilled\nOrders Report has been overstated as well. This report is used to estimate CISS\xe2\x80\x99 future\nexpenditures and to determine CISS\xe2\x80\x99 authority to incur obligations. By misrepresenting\ntheir financial position and overstating their amount of unfilled customer orders, CISS\nhad increased the difficulty of effectively managing the IT Fund.\n\nCauses of Overspending\nWe believe CISS\xe2\x80\x99 overspent order problem has been caused by a combination of\nfactors as follows:\n\nCISS had a fragmented organizational culture. CISS had a fragmented organization\nand had not developed a strong culture for coordination and communication between\ndepartments. Employees from several different departments were involved in order\nmanagement and had little need to closely coordinate their work. Historically, most\nagreements were for recurring maintenance and repair services, which meant that\nCISS\xe2\x80\x99 fees remained constant regardless of the amount of work CISS did. A technician\nprovided services at the customer\xe2\x80\x99s request, an account executive communicated with\nthe customer regarding service agreements and terms, a financial manager processed\n                                           8\n\x0cthe financial documentation, and the need for frequent communication between the\ndepartments was relatively minor.\n\nThe following example demonstrates how CISS\xe2\x80\x99 fragmented organization and lack of\ncommunication led to mistakes of great magnitude. Air Force order number 98001961\nhad an available balance of over $970,000 as of August 2000. Charges for this order\ntotaling about $921,000 were mistakenly applied to order number 98001294 which was\ncreated in fiscal year 1998 for the Justice Department. This resulted in the Justice\nDepartment order appearing overspent by almost $800,000. Assuming that the Justice\nDepartment order had simply been overspent, the project manager responded to the\nnegative balance by transferring about $526,000 to the order from order number\n99001961 created in fiscal year 1999 for the same customer. By transferring funds from\none order to the other without ensuring that the services were the same or that the\ncustomer was the same, Justice Department funds were used to cover an Air Force\norder.\n\nCISS employees did not have easy access to up-to-date order information. As\nCISS began providing contracting services, technicians could incur expenses without\nthe project manager's knowledge. Where a well-designed and easily accessible order\nmanagement system might have solved this problem, CISS\xe2\x80\x99 databases resembled the\nold CISS for which they were created; they were fragmented and obsolete.\n\nAn improved order management system could prevent CISS from being liable for their\ncustomer\xe2\x80\x99s expenses. Customer order number 97002247 for the State Department was\noverspent by over $857,000 as of August 2000. Our review determined that over\n$801,000 of the shortfall represented the services of one contractor CISS had procured\nto perform work for the customer.\n\nThe contractor billed GSA $801,733 for services provided the State Department during\nthe period June 1, 1999 through April 28, 2000. Further analysis showed that the State\nDepartment, although the contractor was performing work at one of their locations, did\nnot obligate funds to reimburse CISS until April 10, 2000. Additionally, we determined\nthat CISS did not issue a purchase order covering the contractor\xe2\x80\x99s invoice for $801,733\nuntil April 14, 2000.\n\nOur conclusion was that a \xe2\x80\x9cscramble\xe2\x80\x9d occurred to pay this contractor once it became\nknown that the State Department had not provided funding. A rigorous order\nmanagement system capable of \xe2\x80\x9cflagging\xe2\x80\x9d problem orders might have warned CISS\nofficials that funding for the contractor\xe2\x80\x99s services had not been provided. In this\ninstance, GSA would have been liable for the amounts due the contractor if the State\nDepartment had not belatedly obligated the funds.\n\nProject managers lost track of the orders they were supposed to be managing.\nCISS management attempted to improve these problems by turning account executives\nand some technicians into project managers who provided \xe2\x80\x9ccradle-to-grave\xe2\x80\x9d order\nmanagement. However, they did not develop an effective method of assigning orders.\nMany times during our review, we presented project managers with an order which they\n                                          9\n\x0costensibly managed only to hear that they had no idea the order existed. Upon further\ninvestigation, we found that account executives or project managers literally \xe2\x80\x9chanded\nover\xe2\x80\x9d orders to new project managers. The new project manager was responsible for\nupdating the assignment code in CISS\xe2\x80\x99 database. These records were incorrect more\noften than not.\n\nCISS employees were not held accountable for overspent orders.              Since\nmanagement had no definitive way of knowing which orders were assigned to the\ndifferent project managers, they had no way of evaluating each project manager\xe2\x80\x99s\nperformance. Consequently, they had no way of holding project managers accountable\nfor overspent orders.\n\nAs an example, the Air Force requested maintenance services for 1994 under customer\norder number 94000089. CISS continued to provide services into 1996 and overspent\nthe order by $87,760. When a CISS employee noticed the accrued charges in 1996\nand tried to contact the customer to obtain the additional funds, the customer refused to\npay. CISS management acknowledged the overspent amount, but there was no\nindication in the order file that someone was held responsible for this overspent amount.\nDespite the unsuccessful attempt to obtain additional funds, CISS continued to accrue\nthese charges as unbilled income.\n\nCISS did not have appropriate financial management policies. The Clinger-Cohen\nAct of 1996 caused some confusion on financial management policy that led CISS\nemployees to believe that customer funds could be used more liberally than before.\nMany employees believed that excess funds from one order could be transferred to\nother orders to make up for unfunded amounts. The common practice of transferring\nfunds seemed to encourage project managers to create new orders and provide\nservices to customers without first obtaining an obligating document. The employees\nthought funds could easily be transferred from prior orders to future orders. See\nFINDING 3 \xe2\x80\x93 TRANSFERRING FUNDS BETWEEN ORDERS for more regarding this practice.\n\nFor example, we found a number of orders which had no purchase orders associated\nwith them at all. In one case involving Navy order numbers 99000194 and 00000194,\nCISS performed about $131,000 worth of services without obtaining funds from the\ncustomer. When questioned about the unfunded orders, the project manager indicated\nthat $141,000 from order number 98000194 for the same customer could be transferred\nto the unfunded orders to cover the charges, as was the common practice within CISS.\nIn this particular case, CISS\xe2\x80\x99 practice of transferring funds might have offset the\noverspent amounts; however, in other cases where there were no excess funds, the\nassumption that they could transfer funds seems to have encouraged overspending.\nFor example, CISS provided services totaling about $190,000 to the Army under two\ncompletely unfunded customer order numbers (97001941 and 97001942). Funding for\nthese orders was supposed to come from order number 96000253; however, CISS\noverspent this order as well.\n\nIn addition to CISS\xe2\x80\x99 lack of appropriate financial management policies, CISS did not\nhave appropriate accounting policies for recording these overspent amounts. CISS\n\n                                           10\n\x0cmanagement did not define a period after which charges were declared uncollectable\nand written off. Unbilled amounts could stay on the books as income accruals\nindefinitely while CISS waited to receive more funds from the customer. However, the\nlonger CISS waited to contact the customer regarding additional funds, the less likely it\nwas that those funds would be collected.\n\nFor example, even after the project manager unsuccessfully attempted to collect\noverspent amounts in 1996 for customer order number 94000748, CISS continued to\naccrue the charges as income four years later.\n\nIn conclusion, CISS continued to manage orders based on relatively simple\nmaintenance agreements even after the organization began to provide customers with\nmore complex and costly services involving procurement. The order management\nsystem they had relied upon in prior years was not rigorous enough to keep track of\nmultiple types of services and orders. By not instituting controls to encourage more\nrigorous order management and by not holding employees accountable when orders\nwere overspent, CISS management created an implicit policy to continue services to\ncustomers even if funds were not available.\n\nRecommendations\nWe recommend that the Director, Center for Information Security Services:\n1A. Take immediate action to reconcile overspent orders and contact customers to\n    determine if additional funds can be provided. If not, the Center for Information\n    Security Services must write off the overspent amounts, in accordance with proper\n    accounting procedures;\n\n1B. Develop an order management system which allows timely access to accurate\n    financial management data for all parties involved in managing customer orders.\n    Such a system should also include an accurate inventory of project managers\xe2\x80\x99\n    order assignments; and\n\n1C. Institute written policy establishing proper procedures for incurring obligations which\n    ensures that employees do not obligate Government funds before obtaining funding\n    from the requesting agency, in accordance with GSA\xe2\x80\x99s financial management\n    policy.\n\n\nFTS Commissioner\xe2\x80\x99s Comments\n\nThe Commissioner, Federal Technology Service, concurred with the recommendations.\n\n\n\n\n                                            11\n\x0cFinding 2 \xe2\x80\x93 Excess Customer Funds\n\nCISS has over 500 customer orders with large unused funding balances, which appear\nto be excess funds. We conservatively estimate the value of these excess funds at over\n$7.9 million2 as of November 2000. Please see Appendix B for a breakout of this\namount by year. These excess funds represent orders from as long ago as 1993 with\nremaining balances as high as $900,000. CISS has no clear policy for dealing with\nexcess funding. As a result, Government funds are not put to best use, and CISS\xe2\x80\x99\ncustomers are not given the opportunity to recoup and reprogram funds in a manner\nthat best serves their agency and the taxpayer. Furthermore, CISS accepted\nsubstantial funds from customers who may not have had a current bona fide need for\nthe services to be provided.\n\nOur analysis of CISS\xe2\x80\x99 customer database found that CISS kept customers\xe2\x80\x99 excess\nfunds for several years after the original work was apparently completed. For some\ncustomer orders, the remaining balances are significant, with some orders showing\nremaining balances totaling $900,000. The table below shows customer orders, whose\nlast activity was prior to January 1999, with remaining balances of $40,000 or more:\n\n                      Customer                     Date of                           Balance\n                                                             1                                2\n                      Order No.                  Last Service                       Remaining\n                       93000224                       10/1/94                      $       44,080\n                       94000214                        6/1/96                      $       48,762\n                       97001568                        1/1/97                      $       44,057\n                       97000837                       10/1/97                      $       92,309\n                       97000908                       10/1/97                      $       64,031\n                       96000790                       11/1/97                      $       50,238\n                       96001672                        2/1/98                      $       89,677\n                       96001597                        4/1/98                      $       60,457\n                       97000561                        4/1/98                      $       50,000\n                       98000123                        6/1/98                      $       93,014\n                       98002352                        6/1/98                      $       48,739\n                       97001138                        8/1/98                      $       96,776\n                       94000577                        9/1/98                      $       42,718\n                       97002147                       10/1/98                      $      218,368\n                       98001473                       11/1/98                      $      914,621\n\n\n              1\n               Date of Last Service \xe2\x80\x93 Date of the last service charge entered for this order number\n              2\n               The balance remaining represents at least 20 % of the original funds obligated by the\n               customer\n\n\n\n\n2\n  Our review of CISS\xe2\x80\x99 customer database revealed the existence of 503 customer orders whose last\nservice date was December 1999 or earlier. The combined value of these orders was over $7.9 million.\nIncluded among these orders were 199 customer orders, with remaining balances totaling about $1.4\nmillion, whose last service date was December 1997 or earlier.\n\n\n                                                           12\n\x0cThe customer orders shown have been dormant since as long ago as 1994. We\nconcluded that these orders should be returned to the customer or U.S. Treasury. For\nfurther examples of excess funds, refer to Appendix C. During the audit, we provided a\ncomplete list of orders with excess funds to the CISS\xe2\x80\x99 Director of Business\nManagement.\nCISS received about 85 percent of its customer funding on an advance bill basis, i.e.,\nthe requesting agency obligated and disbursed funds prior to the start of work. Our\nlimited contact with customers indicated that they believed that funds had been\nobligated and disbursed, and that the orders were closed. However, our overall review\nshowed that customer personnel often did not know that their orders contained unused\nfunds. More importantly, some customers believed that the unused funds were better\noff remaining in the IT Fund, since they had lost the ability to recoup and reprogram the\nfunds.\n\nGSA\xe2\x80\x99s Policies Focus on Bona Fide Need\nGSA\xe2\x80\x99s policies regarding the acceptance and use of customer funds have as their basis\nthe bona fide needs rule as stated in Title 31, U.S. Code, \xc2\xa7 1502. Funds may be\nobligated only to meet a legitimate, or bona fide, need arising in the fiscal year for which\nthe appropriation was made. The requesting agency must have a bona fide current\nneed for the goods and services to be provided by GSA at the time the agency enters\ninto the interagency agreement. GSA\xe2\x80\x99s policy for continued use of customer funds once\nthe original order is concluded is as follows:\n\n       Customer agencies may ask GSA to use these (excess) funds for another\n       task. To validate the request, customer agencies must assure GSA that\n       the same bona fide requirement still exists that was present at the time of\n       the original obligation, and that the scope of the work remains unchanged.\n\nGSA\xe2\x80\x99s policy regarding the return of excess customer funds is based on a continuation\nof the same bona fide need articulated in the original agreement:\n\n       The agency must continue to have a need for the requirements described\n       in the interagency agreement. If no further need for the requirements\n       exists or the requirements are not within the scope of the interagency\n       agreement, any remaining uncommitted funds must be deobligated from\n       the IT Fund.\n\nIn our opinion, if an order has not experienced activity for over a year, we are\ndoubtful that a continuing bona fide need exists.\n\nCustomers Not Using Funds\nCertain customers with current activity held large fund balances while requesting a\nlimited amount of work. For example, on November 2000, Air Force order number\n00000738 had almost $540,000 in available funds while the value of its task orders was\nabout $25,000. More significantly, this order was funded primarily by purchase orders\n\n                                            13\n\x0cwith 1997, 1998, and 1999 acceptance dates. CISS personnel explained that this order\nserved as the customer\xe2\x80\x99s \xe2\x80\x9ccheckbook account,\xe2\x80\x9d with funds continually transferred to\nother Air Force orders. We suspect that the Air Force did not have an immediate use\nfor the funds on this order, which had an available balance as high as $925,000 during\nAugust 2000. Furthermore, funding associated with this order was not being used, even\nthough substantial periods of time had elapsed. The following table shows that\nsubstantial amounts belonging to Air Force order number 00000738 were unused, even\nthough the purchase orders were accepted during 1997 and 1998:\n\n\n    EXAMPLES OF PURCHASE ORDERS ASSOCIATED WITH AIR FORCE ORDER 00000738\n\n            Purchase             Amount         Purchase Order         Balance at\n          Order Number          Allocated      Acceptance Date       November 2000\n       NMIPR0097927811      $       154,147   September 26, 1997   $         138,470\n       NMIPR9892008046      $        63,559    August 28, 1998     $          63,559\n       NMIPR0098927524      $        22,400   September 2, 1998    $          22,400\n       NMIPR0098927600      $        40,000   September 14, 1998   $          40,000\n       NMIPR0098927601      $        34,879   September 15, 1998   $          34,879\n\nWe concluded that customers providing funding under order 00000738 did not have a\ncurrent bona fide need for the services described on their purchase orders.\n\nExcess Funds Not Best Use of Government Funds\nWe believe that carrying these excess balances, with no apparent need for the funds,\ndoes not represent the best use of Government funds. The amounts we concluded\nrepresented excess funds, totaling over $7.9 million, represent a considerable amount\nof lost interest if the principal is dormant in the IT Fund. We concluded that, based on\nage and inactivity, the bona fide needs represented by the orders no longer exist.\nTherefore, the funds should be deobligated from the IT Fund, in accordance with GSA\npolicy.\n\nAdditionally, Government agencies, which depend on yearly appropriations, lose the\nability to recoup and reprogram the funds for alternate uses after only a short amount of\ntime. CISS, by not giving proper attention to the excess funds, has lost opportunities to\ngain business and increase revenue without having to search for new customers.\nCustomer funds that are not needed should be returned to the customer or the U.S.\nTreasury. As a matter of good business practices, CISS should determine fund\nbalances promptly after completing an order and contact the customer for appropriate\ndisposition.\n\nCauses of Excess Funds\nWe determined several causes for the large amount of unused and apparently\nunneeded customer funds. CISS management had no written procedures implementing\nGSA\xe2\x80\x99s policy on excess funds. CISS employees were not knowledgeable about basic\nstatutory authority underpinning GSA\xe2\x80\x99s Government-wide information technology\n\n                                              14\n\x0cprograms. Instead, CISS adhered to an ill defined \xe2\x80\x9cfive-year policy\xe2\x80\x9d regarding the\navailability of customer funds.\n\nCISS management did not have procedures to deal with unused funds in\naccordance with GSA policy. While CISS personnel continually spoke of their\npractice of retaining customer funds for up to five years, they could not articulate the\nbasis for this practice. Our review indicated that the practice was the result of a\nmisunderstanding of a 1991 change to OMB Circular A-34, which states that expired\naccounts have specific fiscal year identity for five years for adjustments to valid\nobligations after which they are permanently closed. However, this change does not\nalter the accounts\xe2\x80\x99 period of availability for obligation nor the bona fide needs\nrequirement. Accordingly, we believe this misinterpretation contributed to the existence\nof long-standing excess funds balances.\n\nCISS\xe2\x80\x99 reliance on an unfounded \xe2\x80\x9cfive year policy\xe2\x80\x9d prompted them to keep excess funds\nfrom customer orders instead of deobligating the money in accordance with GSA policy.\nTo illustrate, we examined Navy order number 96001521, accepted April 30, 1996, that\nhad 1996 charges totaling over $1.8 million. This dormant order had a remaining\nbalance of about $62,000 from November 1996 until July 2000. During July 2000, the\nNavy customer received over $55,000 of electronic equipment purchased by CISS\nalmost four years after the last recorded charge. It is interesting to note that the Navy\xe2\x80\x99s\nlast purchase orders for this order, dated May 15, 1996 and July 23, 1996, were to\n\xe2\x80\x9ccomplete the original request for ADP network appliances.\xe2\x80\x9d We doubt that the original\nbona fide need continued to exist in July 2000, since we feel that CISS would not wait\nalmost four years to complete the order. Overall, CISS has 503 customer orders, with\nno activity since December 1999 or earlier, with remaining balances totaling over $7.9\nmillion. We are skeptical as to whether the original bona fide need exists for the\nmajority of these orders. CISS should review these orders to determine their eligibility\nfor either additional work or deobligation from the IT Fund.\n\nCISS adhered to their \xe2\x80\x9cfive-year policy\xe2\x80\x9d despite clear directives from GSA to the\ncontrary. As stated above, GSA\xe2\x80\x99s policy indicates that if no further need for the funds\nexists the uncommitted balance must be deobligated from the IT Fund. This policy\nindicates that appropriate disposition of customer funds occur at the point of completion\nand not up to four years after work on the order has ceased. However, CISS policy was\nto hold the funds for up to five years, and, when the need arose, transfer the funds to\nthe customer\xe2\x80\x99s overspent orders (see FINDING 3\xe2\x80\x94TRANSFERRING FUNDS BETWEEN\nORDERS).\n\nCISS should institute a policy that gives employees clear guidance on the procedures to\nfollow if a customer\xe2\x80\x99s order is completed and excess funds are available. The policy\nshould direct employees to initiate disposition of the customer\xe2\x80\x99s funds on a timely basis,\nideally after a reconciliation has indicated that all charges and receipts have been\naccounted for. The policy should indicate that it is appropriate for the project managers\nto attempt to find uses for the funds as long as the customer can assure CISS that the\nsame bona fide need that formed the basis for the original work still exists. If the need\n\n                                            15\n\x0cno longer exists, the funds should be deobligated to the customer or U.S. Treasury so\nthat the funds can be put to better use.\n\nCISS employees lacked adequate training. CISS employees did not determine\nwhether the original bona fide need continued to exist when a project was completed.\nTherefore, new work was not created or substantial amounts of unneeded customer\ndollars were not deobligated from the IT Fund. In either case, Government funds were\nnot put to best use.\nIn addition to the bona fide needs rule, CISS employees were not adequately trained\nregarding the statutory authority for GSA\xe2\x80\x99s Government-wide information technology\nprograms. As an example, several CISS employees could not explain statements that\nappeared on many customer purchase orders to the effect that \xe2\x80\x9cthese funds are subject\nto the deobligation requirements of the Economy Act.\xe2\x80\x9d Our review determined that,\nunder section 5112 of the Clinger-Cohen Act, Office of Management and Budget (OMB)\ndesignated GSA as an executive agent for Government-wide acquisitions of information\ntechnology. Due to this specific authority, interagency agreements entered into under\nthe authority of OMB\xe2\x80\x99s designation are independent of the Economy Act and are not\nsubject to its deobligation requirements.\n\nWe concluded that CISS employees were not adequately trained in the basic statutory\nauthority underpinning GSA\xe2\x80\x99s Government-wide information technology programs.\nCISS employees responsible for customer orders worth millions of dollars should know\nand should be able to articulate to their customers the legal basis for the acceptance\nand use of customer funds. Our work with GSA\xe2\x80\x99s Office of General Counsel indicated\nthat basic training in the statutory authority for GSA\xe2\x80\x99s Government-wide information\ntechnology programs should include the following:\n\n\n\n\n                                         16\n\x0c                           POTENTIAL TRAINING TOPICS\n      Clinger-Cohen Act (Title 40 U.S. Code \xc2\xa7 1412(e))\n                 Specific authority to support agency purchases\n                 Office of Management and Budget designation\n\n      Economy Act (Title 31 U.S. Code \xc2\xa7 1535)\n               Relationship of Clinger-Cohen to Economy Act\n\n      Criteria for Recording Valid Obligations\n                   Evidence of a binding agreement\n                   Executed within period of availability\n\n      Bona Fide Needs Rule (Title 31 U.S. Code \xc2\xa7 1502)\n                 Application to acceptance and retention of customer funds\n                 Transfers of Funds Between Orders\n\n      Essential Elements of Interagency Agreements\n                  Basis of GSA\xe2\x80\x99s authority\n                  Bona fide need\n                  Identify funding\n                  Signatures\n\n      Military Interdepartmental Purchase Requests\n                    Used as a substitute for interagency agreement\n\n\nSummary\nCISS controls over $7.9 million in customer funds that appear to be excess. CISS\nshould identify the funds that can be used for additional work or deobligate them from\nthe IT Fund. CISS needs to ensure that orders accepted represent current bona fide\nneeds of the requesting agencies. Written procedures for properly disposing of excess\nfunds and employee training in the proper use and disposition of customer funds will\nhelp eliminate large amounts of excess funds in the future.\n\nRecommendations\nWe recommend that the Director, Center for Information Security Services:\n2A. Identify orders that are inactive and have excess funds, and then contact customers\n    to determine whether the bona fide need, as stated in the original interagency\n    agreement, still exists. If the need does not exist, the Center for Information\n    Security Services should deobligate the excess funds and return the funds to the\n    customer agency or the U.S. Treasury;\n\n\n\n                                           17\n\x0c2B. Ensure that orders accepted represent current bona fide needs of the customer\n    agencies;\n\n2C. Institute written policy on procedures to be followed if a customer\xe2\x80\x99s order is\n    completed and excess funds are available. This policy should state clearly when it\n    is appropriate to apply the customer\xe2\x80\x99s funds for additional work and when the funds\n    should be deobligated; and\n\n2D. Develop an employee training program covering the statutory basis for GSA\xe2\x80\x99s\n    Government-wide information technology programs and the underlying issues that\n    affect GSA\xe2\x80\x99s ability to accept and dispose of customer funds.\n\nFTS Commissioner\xe2\x80\x99s Comments\n\nThe Commissioner, Federal Technology Service, concurred with the recommendations.\n\n\nFinding 3 \xe2\x80\x93 Transferring Funds Between Orders\n\nCISS regularly transfers funds between orders. Often, CISS made the transfers to\noffset overspent orders. However, the Center for Information Security Services did not\nalways ensure that transfers of funds were between orders having a similar purpose\nand scope. As a result, CISS may not be fulfilling its fiduciary responsibility to properly\nmanage customer funds.\n\nGSA may use an agency\xe2\x80\x99s funds for any purpose within the scope of the interagency\nagreement that serves as the obligating document. Excess funds remaining from any\norder may be used for an additional project, provided that the additional project is within\nthe scope (addresses the same bona fide need) of the original interagency agreement.\nIf the additional project is not within the scope of the interagency agreement (does not\naddress the same bona fide need), remaining funds from the original order can not be\nused. The same bona fide requirement must still exist that was present at the time of\nthe initial obligation and the scope of the work must remain unchanged.\n\nCISS did not always ensure that transfers of funds were between orders having a\nsimilar purpose and scope. In one instance, CISS inappropriately transferred funds to\noffset an overspent order. Customer order 97001138 was funded by purchase orders\nreflecting at least two distinct needs of the requesting agency. CISS had not collected\ntwo years worth of charges associated with an employee who was detailed to the\nInteragency Operations Support Staff (IOSS) on a reimbursable basis. CISS, to\ncompensate for the overspending, transferred $111,494 from a purchase order that was\nspecifically for public key infrastructure support services. Our review of pertinent work\nstatements and purchase orders found that the public key infrastructure support\nservices were unrelated to the work performed at IOSS by the detailed employee.\nTherefore, customer funds were not properly managed in this instance.\n\n\n\n                                            18\n\x0cIn at least one other instance, instead of returning excess funds after the customer\xe2\x80\x99s\nbona fide need had been met, CISS used the funds for a new, unrelated order. Marine\nCorps order number 96001719 had a remaining balance of over $177,000 since about\nFebruary 1998. The original need, as indicated in the statement of work, was for a\nsystem and network integration project at Camp Pendleton in support of a logistics and\nsupply system. In response to our fieldwork, CISS contacted the customer about how to\ndispose of the $177,000. The Marines indicated that they did not want the funds\nreturned (they could not reprogram a 1996 annual appropriation) but \xe2\x80\x9cwould work on a\nplan to spend the remaining 177k.\xe2\x80\x9d As a result, CISS issued a task order for the\nremaining balance ($177,459) to provide \xe2\x80\x9cinformation technology and program\nmanagement support to the paperless acquisition programs.\xe2\x80\x9d Although the Marines\nindicated that they would provide information as to how the paperless acquisition\nprogram supported the original network integration project, the two statements of work\nwere completely dissimilar. Additionally, the paperless acquisition effort supported\nthree Marine Corps bases, not just Camp Pendleton. Our conclusion was that the bona\nfide need in support of the original order at Camp Pendleton had expired in 1998 and\nremaining funds should not have been transferred in support of a dissimilar\nrequirement.\n\nCISS has at least 590 inactive customer orders representing overspent and excess\namounts. These orders are candidates for write-offs or deobligation based on age and\ninactivity. CISS can not transfer excess funds to compensate overspent orders if the\ntransfers are between orders unrelated in purpose and scope (do not address the same\nbona fide need) or if the bona fide need pertaining to the order with excess funds does\nnot continue to exist.\n\nCISS must ensure that transfers of funds occur between orders with a similar purpose\nand scope. The order receiving the transferred funds must address the bona fide need\narticulated in the original interagency agreement. As with the Marine Corp example\ncited above, we suspect that the original bona fide needs pertaining to CISS\xe2\x80\x99 inactive\norders may not continue to exist. Therefore, inactive orders with excess balances might\nnot be used to compensate overspent orders.\n\nRecommendation\n3A. We recommend that the Director, Center for Information Security Services, ensure\n    that transfers of funds between orders occur only between those orders addressing\n    the same purpose and scope, i.e., addressing the bona fide need that was present\n    at the time of the initial obligation.\n\nFTS Commissioner\xe2\x80\x99s Comments\n\nThe Commissioner, Federal Technology Service, concurred with the recommendations.\n\n\n\n\n                                          19\n\x0cManagement\xe2\x80\x99s Preliminary Response\n\nCISS developed an action plan in response to our alert report issued November 29,\n2000. In their preliminary action plan, CISS had planned to:\n    \xe2\x80\xa2 reconcile customer orders;\n    \xe2\x80\xa2 eliminate the advance bill option;\n    \xe2\x80\xa2 modify their current billing system;\n    \xe2\x80\xa2 emphasize the impact of improper order management;\n    \xe2\x80\xa2 develop written guidance on the proper use of customer funds; and\n    \xe2\x80\xa2 include a Financial Management Critical Element in all Performance Plans.\n\nGenerally, these actions are consistent with our recommendations. Although we did not\nmention the elimination of the advance bill option, we anticipate this action will assist\nCISS in proper order management by increasing customers\xe2\x80\x99 interest in the financial\nstatus of orders and by increasing CISS\xe2\x80\x99 communication with customer.\n\n\nInternal Controls\n\nWe assessed the internal controls relevant to the management and use of funds made\navailable to the Center for Information Security Services as reimbursement for services\nprovided customer agencies. We concluded that the controls established were often\nineffective and provided little assurance that Government assets were reasonably\nprotected.\n\nWe concluded that the control environment, as presently constituted, did not provide\nreasonable assurance that fraudulent misapplication of customer agency funds would\nbe prevented. CISS regularly assigns control of a customer\xe2\x80\x99s account to a single project\nmanager. Our review noted the existence of customer accounts, containing large sums\nof money, that had been inactive for a considerable amount of time. We also noted that\ncertain customers were not aware of the existence of these unused funds. Given the\nabove, we concluded that a high potential exists for diversion of customer funds.\n\n\n\n\n                                           20\n\x0c                                                                     APPENDIX A\n\n                               REVIEW OF\n                CENTER FOR INFORMATION SECURITY SERVICES\n                      FEDERAL TECHNOLOGY SERVICE\n                    REPORT NUMBER A001031/T/5/Z01003\n\n                        Examples of Overspent Customer Orders\n\n             Customer           Last         Year        Amount        Overspent\n           Order Number     Service Date   Created      Obligated       Amount\n              (Note 1)        (Note 2)     (Note 3)     (Note 4)        (Note 5)\n\n             94000071          6/1/97        1994      $       -      $   301,259\n             98002043          4/1/99        1998      $ 510,000      $   234,231\n             96001616          5/1/99        1996      $ 2,040,066    $   210,069\n             98002534          6/1/99        1998      $    76,600    $   182,502\n             96001462         10/1/97        1996      $ 393,503      $   172,356\n             97002043          2/1/99        1997      $ 3,628,810    $   149,376\n             94000748         11/1/95        1994      $ 100,800      $   113,105\n             97001941          9/1/97        1997      $       -      $   110,000\n             98001138          2/1/98        1998      $       -      $   100,000\n             98002234         11/1/99        1998      $ 527,000      $    99,522\n             94000089         12/1/95        1994      $ 178,302      $    87,761\n             97001942         11/1/97        1997      $       -      $    81,432\n             96001389         12/1/96        1996      $    54,681    $    66,508\n             99001242          4/1/99        1999      $       -      $    66,300\n             98002283          4/1/99        1998      $ 114,636      $    57,576\n             98000490         11/1/99        1998      $ 483,051      $    50,584\n             96001699          4/1/98        1996      $    41,400    $    40,367\n             97001550         11/1/99        1997      $ 1,125,453    $    36,903\n             97000110          8/1/99        1997      $    74,367    $    35,833\n             98001942          9/1/99        1998      $       -      $    34,104\n             93000197          9/1/96        1993      $    35,681    $    32,759\n             94000782          5/1/99        1994      $ 846,932      $    28,704\n             93000220          5/1/96        1993      $    63,501    $    25,366\n             97000844          8/1/99        1997      $ 123,403      $    23,327\n             97002221         10/1/98        1997      $    57,100    $    21,248\n             96000779         10/1/96        1996      $ 184,310      $    21,131\n\n\n\nNotes:\n1. Our review of CISS\xe2\x80\x99 customer database revealed a total of 280 customer orders with\n   charges exceeding customer obligations by over $6.4 million. This appendix lists\n   those orders, of the 280 identified, with an overspent amount greater than $20,000\n   and with a date of last activity prior to January 1, 2000. For a complete discussion of\n   overspent orders, please refer to the report section entitled, FINDING 1 \xe2\x80\x93 OVERSPENT\n   CUSTOMER ORDERS DEPLETE THE IT FUND.\n\n\n                                           21\n\x0c                                                                       APPENDIX A\n\n                     Examples of Overspent Customer Orders\n                                  (Continued)\n\n\n2. The date shown represents the last time a charge was applied against the order. A\n   charge could represent technicians\xe2\x80\x99 time and materials, materials procured by CISS\n   for the order, contracting fees, and other types of related expenses.\n\n3. The year shown represents the Government\xe2\x80\x99s fiscal year, October 1 through\n   September 30.\n\n4. The amount obligated represents the amount made available by CISS\xe2\x80\x99 customer via\n   a signed purchase order. For orders showing a zero obligated amount, there were\n   no purchase orders or funding documents associated with the order.\n\n5. The overspent amount represents the amount obligated, less billed and unbilled\n   (accrued) amounts.\n\n\n\n\n                                         22\n\x0c                                                                               APPENDIX B\n\n                                REVIEW OF\n                 CENTER FOR INFORMATION SECURITY SERVICES\n                       FEDERAL TECHNOLOGY SERVICE\n                     REPORT NUMBER A001031/T/5/Z01003\n\n\n            Excess Funds That Should Be Considered for Deobligation\n                            As of November 2000\n\n             Year of                    Number of                  Total of\n          Last Activity             Customer Orders             Excess Funds\n            (Note 1)                                              (Note 2)\n\n             1994                           5               $            64,904\n             1995                          30                           197,080\n             1996                          49                           272,848\n             1997                         115                           939,367\n             1998                         145                         3,156,560\n             1999                         159                         3,278,175\n                          Totals:         503               $         7,908,934\n\nNotes:\n1. For the number of customer orders shown, the year of last activity represents the\n   year in which the last charges against these orders were recorded.\n\n2. For the year of last activity indicated, this amount represents the dollar total of all\n   customer orders with excess funds. Our review of CISS\xe2\x80\x99 customer database\n   revealed the existence of 503 customer orders with excess funds whose last service\n   date (date of last charge) was December 1999 or earlier. As this chart shows, there\n   are well over $1 million in customers orders that last saw activity during the period\n   1994 to 1997. We concluded that, based on age and inactivity, the bona fide need\n   constituting the basis for the orders shown no longer exists. Therefore, serious\n   consideration should be given to deobligating these amounts from the IT Fund, in\n   accordance with GSA policy\n\n\n\n\n                                                23\n\x0c                                                                              APPENDIX C\n\n                              REVIEW OF\n               CENTER FOR INFORMATION SECURITY SERVICES\n                     FEDERAL TECHNOLOGY SERVICE\n                   REPORT NUMBER A001031/T/5/Z01003\n\n                     Examples of Excess Customer Funds\n\n\n  Customer           Last         Year               Amount              Balance at\nOrder Number     Service Date   Created             Obligated          November 2000\n   (Note 1)        (Note 2)     (Note 3)            (Note 4)              (Note 5)\n\n 98001961           1/1/99       1998           $      2,241,357   $           970,352 (Note 6)\n 98001473          11/1/98       1998           $      1,386,627   $           914,621\n 98002487           6/1/99       1998           $        499,100   $           359,835\n 97002147          10/1/98       1997           $        319,700   $           218,368\n 96001632          10/1/98       1996           $      1,265,000   $           184,366\n 96001719           2/1/98       1996           $      1,423,000   $           177,643\n 97002211           4/1/99       1997           $      1,557,670   $           119,642\n 96001533           8/1/98       1996           $      2,752,522   $           117,060\n 94000271           4/1/98       1994           $        561,705   $           110,061\n 98002359          10/1/99       1998           $        532,983   $           101,966\n 97001138           8/1/98       1997           $        402,852   $            96,776\n 98000123           6/1/98       1998           $        101,286   $            93,014\n 97000837          10/1/97       1997           $        314,943   $            92,309\n 96001672           2/1/98       1996           $        350,000   $            89,677\n 97002182           6/1/98       1997           $        948,000   $            76,438\n 97002027           9/1/98       1997           $        600,000   $            71,715\n 97002111           3/1/99       1997           $        253,800   $            70,363\n 98000739          10/1/99       1998           $      2,007,920   $            67,213\n 97000908          10/1/97       1997           $        297,000   $            64,031\n 98002350          10/1/99       1998           $        272,000   $            63,581\n 98001608           9/1/99       1998           $         68,093   $            61,309\n 96001597           4/1/98       1996           $        100,000   $            60,457\n 97000661           8/1/98       1997           $        402,850   $            60,379\n 99002572           9/1/99       1999           $        104,700   $            59,233\n 98001909           1/1/99       1998           $        353,081   $            54,081\n 99002617          12/1/99       1999           $         87,550   $            52,489\n 96000790          11/1/97       1996           $         96,700   $            50,238\n 97000561           4/1/98       1997           $        197,565   $            50,000\n 94000214           6/1/96       1994           $         83,489   $            48,762\n 98002352           6/1/98       1998           $        110,000   $            48,739\n 98001905           7/1/99       1998           $        234,456   $            48,495\n 98002560          10/1/99       1998           $        124,440   $            48,397\n\n\n\n\n                                           24\n\x0c                                                                           APPENDIX C\n\n                   Examples of Excess Customer Funds\n                               (Continued)\n  Customer         Last         Year               Amount             Balance at\nOrder Number   Service Date   Created             Obligated         November 2000\n   (Note 1)      (Note 2)     (Note 3)            (Note 4)             (Note 5)\n\n 96001398         1/1/97       1996           $       473,755   $            47,700\n 99002525        11/1/99       1999           $        63,018   $            45,836\n 93000330         3/1/97       1993           $       905,585   $            45,461\n 98000936        10/1/98       1998           $       314,415   $            44,206\n 93000224        10/1/94       1993           $        61,677   $            44,080\n 97001568         1/1/97       1997           $       181,291   $            44,057\n 99002682        10/1/99       1999           $       695,000   $            43,982\n 94000577         9/1/98       1994           $       160,000   $            42,718\n 97002179         1/1/99       1997           $        85,109   $            41,794\n 99001985        10/1/99       1999           $        93,766   $            41,623\n 98002559         8/1/99       1998           $       329,400   $            41,536\n 99002753        12/1/99       1999           $        41,138   $            41,138\n 96001502        10/1/96       1996           $     1,267,116   $            40,000\n 97001950        10/1/99       1997           $    17,084,597   $            38,503\n 97001988         2/1/98       1997           $        88,000   $            36,299\n 96001528        10/1/98       1996           $       522,215   $            35,984\n 96001756        10/1/99       1996           $       566,214   $            35,736\n 98002382         7/1/98       1998           $        82,890   $            35,513\n 97002120        10/1/99       1997           $       170,146   $            35,465\n 94000777         2/1/95       1994           $        41,812   $            35,190\n 97002163         6/1/98       1997           $       491,026   $            35,102\n 95000117        11/1/97       1995           $       640,483   $            34,802\n 98002367        12/1/99       1998           $       715,610   $            34,214\n 98002537         9/1/99       1998           $        51,797   $            31,420\n 96001713         1/1/97       1996           $        91,189   $            30,527\n 97002137         6/1/99       1997           $       250,000   $            29,932\n 97001382        10/1/97       1997           $        66,618   $            29,669\n 97002281         6/1/98       1997           $        41,852   $            29,266\n 97001268         1/1/98       1997           $        53,000   $            28,862\n 97002065         5/1/99       1997           $       375,584   $            28,757\n 97002236        10/1/98       1997           $       145,000   $            28,051\n 96001549         7/1/97       1996           $     1,814,552   $            27,615\n 99000902        10/1/99       1999           $        41,954   $            27,556\n 98000413         3/1/99       1998           $        48,716   $            27,063\n 97001067        12/1/97       1997           $       142,923   $            26,960\n 96000314         3/1/97       1996           $       828,553   $            26,173\n 96001598        10/1/99       1996           $        91,437   $            26,110\n 96001242         1/1/99       1996           $       387,600   $            25,434\n\n\n                                         25\n\x0c                                                                          APPENDIX C\n\n                       Examples of Excess Customer Funds\n                                   (Continued)\n\nNotes:\n1. Our review of CISS\xe2\x80\x99 customer database revealed a total of 503 customer orders\n   whose last service date (see Note 2 below) was December 1999 or earlier. These\n   customer orders represented about $7.9 million in unused funds. This appendix lists\n   those orders, of the 503 identified, with a current balance in excess of $25,000. For\n   a complete discussion of unused funds, please refer to the report section entitled\n   FINDING 2 \xe2\x80\x93 EXCESS CUSTOMER FUNDS.\n\n2. The date shown represents the last time a charge was applied against the order. A\n   charge could represent technicians\xe2\x80\x99 time and materials, materials procured by CISS\n   for the order, contracting fees, and other types of related expenses.\n\n3. The year shown represents the Government\xe2\x80\x99s fiscal year, October 1 through\n   September 30.\n\n4. The amount obligated represents the amount made available by CISS\xe2\x80\x99 customer via\n   a signed purchase order.\n\n5. The customer order balance represents the amount obligated, less billed and\n   unbilled (accrued) amounts. The amounts shown are part of a pool of 503 customer\n   orders, with balances totaling over $7.9 million, that have been left unused by CISS\n   since December 1999 or earlier.\n\n6. This customer has a large balance because charges were applied to another\n   customer\xe2\x80\x99s order. See FINDING 1 \xe2\x80\x93 OVERSPENT CUSTOMER ORDERS DEPLETE THE IT\n   FUND, for a discussion of how a fragmented organization led to mistakes of this\n   magnitude.\n\n\n\n\n                                          26\n\x0c27\n\x0c                                                             APPENDIX E\n\n                                REVIEW OF\n                 CENTER FOR INFORMATION SECURITY SERVICES\n                       FEDERAL TECHNOLOGY SERVICE\n                     REPORT NUMBER A001031/T/5/Z01003\n\n\n                                REPORT DISTRIBUTION\n                                                             Copies\n\nCommissioner, Federal Technology Service (T)                   1\n\nDirector, Center for Information Security Services (TI)        1\n\nDirector, Office of the Chief Financial Officer (TC)           1\n\nExecutive Director, Greater Southwest Finance Center (7BC)     1\n\nAssistant Inspector General for Auditing (JA)                  3\n\nAudit Follow-up and Evaluation Branch (BECA)                   1\n\n\n\n\n                                             28\n\x0c"